Merge remote-tracking branch 'origin/topic/timw/1991-tunnel-swapping'

* origin/topic/timw/1991-tunnel-swapping: GH-1991: Add option to limit the number of tunnel_changed events (cherry picked from commit 0ae485f)
zeek · Jun 22, 2022 · acfbb91 · acfbb91
1 parent 2f4c066
commit acfbb91
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 1 deletion.
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
@@ -403,6 +403,13 @@ export {
 		## cross-references the *uid* field of :zeek:type:`connection`.
 		uid: string &optional;
 	} &log;
+
+	## The number of tunnel_changed events that will be sent for a connection. Once this
+	## limit is hit, no more of those events will be sent to avoid a large number of events
+	## being sent for connections that regularly swap. This can be set to zero to disable
+	## this limiting.
+	const max_changes_per_connection: count = 5 &redef;
+
 } # end export
 module GLOBAL;
 

diff --git a/src/Conn.cc b/src/Conn.cc
@@ -96,8 +96,13 @@ void Connection::CheckEncapsulation(const std::shared_ptr<EncapsulationStack>& a
 		{
 		if ( *encapsulation != *arg_encap )
 			{
-			if ( tunnel_changed )
+			if ( tunnel_changed &&
+			     (zeek::detail::tunnel_max_changes_per_connection == 0 ||
+			      tunnel_changes < zeek::detail::tunnel_max_changes_per_connection) )
+				{
+				tunnel_changes++;
 				EnqueueEvent(tunnel_changed, nullptr, GetVal(), arg_encap->ToVal());
+				}
 
 			encapsulation = std::make_shared<EncapsulationStack>(*arg_encap);
 			}

diff --git a/src/Conn.h b/src/Conn.h
@@ -265,6 +265,7 @@ class Connection final : public session::Session
 	int suppress_event; // suppress certain events to once per conn.
 	RecordValPtr conn_val;
 	std::shared_ptr<EncapsulationStack> encapsulation; // tunnels
+	uint8_t tunnel_changes = 0;
 
 	detail::ConnKey key;
 

diff --git a/src/NetVar.cc b/src/NetVar.cc
@@ -193,6 +193,8 @@ int record_all_packets;
 
 bro_uint_t bits_per_uid;
 
+bro_uint_t tunnel_max_changes_per_connection;
+
 	} // namespace zeek::detail. The namespace has be closed here before we include the netvar_def
 	  // files.
 
@@ -343,6 +345,9 @@ void init_net_var()
 	dpd_match_only_beginning = id::find_val("dpd_match_only_beginning")->AsBool();
 	dpd_late_match_stop = id::find_val("dpd_late_match_stop")->AsBool();
 	dpd_ignore_ports = id::find_val("dpd_ignore_ports")->AsBool();
+
+	tunnel_max_changes_per_connection =
+		id::find_val("Tunnel::max_changes_per_connection")->AsCount();
 	}
 
 	} // namespace zeek::detail
diff --git a/src/NetVar.h b/src/NetVar.h
@@ -94,6 +94,8 @@ extern int record_all_packets;
 
 extern bro_uint_t bits_per_uid;
 
+extern bro_uint_t tunnel_max_changes_per_connection;
+
 // Initializes globals that don't pertain to network/event analysis.
 extern void init_general_global_var();